Funds transfer system

ABSTRACT

A method of transferring funds includes the steps of linking a first "smart card" to a first financial institution, debiting an account held at the financial institution and recording a corresponding credit value in the first smart card. The first smart card is then linked to a second, similar device, the credit value in the first device is reduced, and a corresponding credit value is recorded in the second device. The second device is then linked to a second financial institution, the credit value in the second device is reduced, and a corresponding credit value is recorded in an account held at the second financial institution. The first and second devices each store at least a portion of a program which is run in a synchronized interactive manner between the first and second devices. The invention extends to a system for implementing the method.

This application claims priority of South African Patent Application No. 907106 filed Sep. 6, 1990 in the Republic of South Africa, in the name of inventors Mansvelt and Belamant.

BACKGROUND OF THE INVENTION

This invention relates to a method of and a system for transferring funds.

At present, remote banking generally involves the use of magnetic stripe cards, together with cheques or cash. The cards are encoded with information identifying holders of the cards. The information stored on the card is typically a primary account number (PAN). Typically, the card is inserted into an automatic teller machine (ATM) and a personal identification number (PIN) is entered by the cardholder. In some cases, the ATM verifies that the entered PIN corresponds with a PIN calculated by the ATM and then allows a transaction such as a withdrawal or deposit of funds to take place. If the ATM is on-line to the relevant financial institution, the account of the cardholder may be debited immediately a withdrawal takes place, or the ATM may store the transaction information, with the cardholder's account being debited at a later stage, utilising track 3 on the card. In any event, direct debiting or crediting of an account is generally limited to a two way transaction between a financial institution and an account holder at the financial institution.

Cheques, credit cards, debit cards and cash are also utilised for the purchasing of goods and services. However, these systems are cumbersome and risky and, if provided as on-line services, are relatively unreliable and expensive.

SUMMARY OF THE INVENTION

According to the invention a method of transferring funds includes the steps of linking a first portable data storage and processing device to a first financial institution; debiting an account held at the financial institution and recording a corresponding credit value in the first portable data storage and processing device; linking the first portable data storage device to a second, similar device; reducing the credit value in the first device and recording a corresponding credit value in the second device; linking the second portable data storage and processing device to a second financial institution; reducing the credit value in the second device; and recording a corresponding credit value in an account held at the second financial institution.

Preferably, the first and second devices each store at least a portion of a program which is run in a synchronised interactive manner between the first and second devices.

A terminal means may be provided which receives the first and second devices and permits data transfer therebetween, the terminal means operating under the control of a stored program to facilitate interaction of the first and second devices.

The first and second financial institutions may be one and the same or different banks, building societies or other similar institutions.

The first and second portable data storage and processing devices are preferably "smart cards" comprising electronic data storage and processing circuitry on a credit card-like substrate, operating under the control of stored software.

The first device may be allocated to an individual registered at the first financial institution, while the second device may be allocated to a retailer or other commercial entity, the magnitude of the reduction in the credit value stored in the first device corresponding to the value of a transaction between the individual and the retailer or commercial entity.

The second device may total the credit values recorded therein, so that the credit value recorded at the second financial institution corresponds to the total of all credit values recorded in the second device in a predetermined period.

Further according to the invention a system for transferring funds includes first and second portable data storage and processing devices; first terminal means for linking the first device to a first financial institution; second terminal means for linking the second device to a second financial institution; and third terminal means adapted to receive the first and second devices and to permit data transfer between them, so that a credit value stored in the first device which corresponds to a debit from an account held at the first financial institution can be reduced by a desired amount and a corresponding credit value can be recorded in the second device, the second device being adapted to transfer the credit value stored therein to an account held at the second financial institution.

Preferably, the first and second devices each store at least a portion of a program which is run in a synchronised interactive manner between the first and second devices.

The first and second portable data storage and processing devices are preferably "smart cards" comprising electronic data storage and processing circuitry on a credit card-like substrate, operating under the control of stored software.

The first and second terminal means are preferably adapted to link the respective smart cards to the respective financial institutions via a digital or analogue data network.

The third terminal means is preferably a card reader device adapted to receive both smart cards and to allow data transfer therebetween.

Preferably, the card reader device operates under the control of a stored program which facilitates the interaction of the first and second smart cards.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a funds transfer system according to the invention;

FIG. 2 is a schematic illustration of a basic mode of operation of the system of FIG. 1;

FIG. 3 is a basic schematic block diagram of a card reader device used in the system of FIG. 1; and

FIGS. 4 to 7 illustrate schematically several different operations possible with the system of FIG. 1.

DESCRIPTION OF AN EMBODIMENT

The funds transfer system illustrated schematically in the drawings is designed to allow the direct transfer of funds from a first financial institution to a cardholder, from the cardholder to a retailer, and from the retailer to a second financial institution, via an analogue or digital data network. In order to allow the necessary data to be transferred in a convenient manner, use is made of "smart cards". Such devices are well known and comprise a credit card-like substrate on which is mounted an integrated circuit containing a central processing unit (CPU) and associated random access memory (RAM) and read-only memory (ROM), as well as an electrically erasable programmable read-only memory (EEPROM). Contacts on the surface of the substrate allow a suitable card reader device to apply power to the computer on the card and permit data transfer to and from the computer.

The operation of the system is illustrated in a highly simplified form in the diagram of FIG. 2. In the first leg of the process, a card holder obtains funds from an account held at a financial institution (FI). This is carried out in real time or on-line via a funds transfer machine (FTM) which is linked to the financial institution via the data network. The cardholder selects an amount to be credited to his personalised smart card (referred to hereinafter as a client card), and a credit balance on his credit card is increased, while the balance in his account at the financial institution is debited correspondingly.

The cardholder can now use his client card to conduct financial transactions of different kinds, in either an on-line or an off-line manner. Typically, as shown in FIG. 2, the client card will be used by the cardholder in a transaction in which goods are purchased from a retailer. The retailer is provided with a point of sale (POS) device which is a self-contained, battery powered smart card reading device. To conduct a transaction, both the client card and a personalised smart card of the retailer (hereinafter called a retailer card) are inserted into the POS device, which operates under the control of a stored program to allow communication between the client card and the retailer card. The amount of the transaction is entered into the POS device. This amount is then presented to the client card, which reduces the credit value stored in its EEPROM by the amount of the transaction, and forwards this amount to the retailer card which increases a credit value stored therein by the same amount.

Once the transaction is completed, the client card of the cardholder is removed from the POS device while the retailer card remains in the device. The retailer will typically conduct a number of different transactions with different cardholders during the course of a business day, and an accumulating total credit value will be stored in the retailer card. At intervals, typically at the end of each working day, the retailer will remove the retailer card from the POS device and insert it into a dedicated funds transfer machine (FTM) which is linked to a second financial institution (that is, the financial institution at which the retailer holds an account) via the electronic data network. The transaction information stored on the retailer card is transferred to the retailer's financial institution, which identifies the accounts of the various cardholders who have conducted transactions with the retailer, and which then credits the retailer's account with the total value of the transactions, and debits the financial institution's cardholder account with the value of the respective transaction. A magnetic tape record of the data transmissions conducted over the data network allows the respective financial institutions to generate printed statements for the cardholders and the retailer, if necessary. The cardholder can also use his card in an on-line manner, via an on-line funds transfer machine, to settle accounts, credit his card with a salary payment or another deposited amount, or conduct similar on-line transactions.

The advantage of an electronic funds transfer system of the kind described above in broad terms is that both conventional currency, such as cash or cheques, and conventional credit transactions, such as those employing credit cards, can be replaced. Delays in processing financial transactions are reduced or eliminated, while the use of cards on which a credit balance is stored ensures the availability of funds and reduces the risks associated with cash or credit transactions. Numerous other benefits arise from the use of an electronic data network, allowing a reduction in record-keeping and administration and reducing the likelihood of errors.

The operation of the funds transfer system will now be described in greater detail. A crucial part of the system is a card reader device which is adapted to receive two smart cards simultaneously, and effectively to allow communication between the cards. The card reader device is essentially conventional except for the provision of a second card reader slot and associated input/output circuitry. A suitable device is a type P500 terminal manufactured by Crouzet Sextant Avionique of France.

The circuitry of the card reader device is illustrated schematically in FIG. 3, and is based around an Intel type 8096 microprocessor 10. Associated with the microprocessor 10 is a random access memory (RAM) 12 and a read-only memory (ROM) 14. First and second smart card readers 16 and 18 and an input/output (I/O) interface 20 comprising an RS232 interface are connected to the microprocessor 10. Finally, a keypad 22, a liquid crystal display (LCD) 24 and a miniaturised paper printer 26 are also controlled by the microprocessor 10. The device is powered by a power supply circuit 28 comprising a rechargeable battery pack which allows the card reader to be operated for up to 30 days before replacement or recharging of the battery is necessary.

A boot program is stored in the ROM 14, which initialises the card reader when it is turned on. An operating system and software controlling the operation of the card reader is downloaded into the RAM 12 via the I/O interface 20, and must be reloaded if power is removed from the device.

The above described card reader device is used as a stand-alone point of sale (POS) device allowing communication between the client card of a cardholder and the retailer card of the retailer. An essentially similar machine is used as a funds transfer machine (FTM) to allow communication between the client card and the cardholder's financial institution, and to allow communication between the retailer card and the retailer's financial institution. In this case however a modem is included in the device to link it to the electronic data network and thus to the respective financial institutions. In either case, the stored computer program in the RAM controls the operation of the device and generates prompts and other information which is displayed on the liquid crystal display 24 in use.

The first leg of a typical sequence of transactions will now be described, in which a cardholder transfers funds from an account held at his financial institution to his own client card. This is done using a card reader device as described above, configured as a funds transfer machine (FTM). Using the keypad 22, the cardholder selects a "Funds transfer" option and enters the amount to be transferred and the type of account to be debited. A display is generated on the liquid crystal display 24, prompting the cardholder to enter his card into the card reader device. Power is now applied to the card reader in the device, which applies power to the circuitry on the card itself. The microprocessor on the card initialises itself and outputs data to the card reader device indicating its operating parameters, including the baud rates, clock speed and data format which it uses. The card also outputs an identification code to the card reader device, indicating that it is a client card of the correct type.

Once the handshaking procedure between the client card and the FTM control card (as described in Appendices 1 and 2) is completed correctly, the transaction can continue. The cardholder is prompted to enter a password, which is checked with a corresponding code stored in a secure memory area on the card. If the correct password is not entered within three attempts, the card is disabled. Assuming that the correct password is entered, a file information table in the card memory is read, providing details, inter alia, of the current credit balance stored in the card.

The FTM now compiles a message for transmission via the data network, which includes critical fields such as the amount to be transferred, a transaction sequence number (TSN) and a unique sequence number (USN). The message is transmitted via the data network to the financial institution at which the cardholder holds an account. Assuming that there are sufficient funds in the cardholder's account to meet the request, the financial institution debits the cardholder's account and moves the funds to a holding account. The amount of the transfer, together with the TSN and the USN, is encrypted under the issuer key of the financial institution and transmitted back to the data network, which encrypts this encrypted data further with a data network key. The database of the data network is also updated with details of the transaction.

The message is routed back to the FTM, which extracts the encrypted portion of the data and transmits it, together with the data and account type, to the client card. The client card decrypts the encrypted data using the random key and the issuer key (both of which are stored securely on the card) and will check that the TSN and the USN in the decrypted data match the original TSN and USN. Assuming that a match occurs, the transaction is then written to the client card transaction file, and the current credit balance is updated on the card.

The FTM now runs a utility program on the client card which sends an 8 byte encrypted message to the FTM containing the TSN, the USN, and a code indicating whether the transaction was good or bad. The TSN stored in the card is incremented. The above data is encrypted with the data network key and is transmitted via the network to the financial institution for confirmation of the transaction. The display of the FTM now prompts the cardholder to remove his client card.

The result of the above transaction is that an amount of funds corresponding to the figure entered by the cardholder into the FTM is deducted from the credit balance of his account at the financial institution and transferred to a holding account of the financial institution. The credit balance stored on the client card is updated by the same amount, and can now be used to conduct further transactions. A state table of the above described transaction is shown in Appendix 1.
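The TSN and USN check described above is what stops a captured load message from being credited twice or credited to a different card. The following is an added example, not part of the patent text, that models only the issuer-key layer of the exchange (the data network key and random key layers are omitted). The patent names no cipher, so a SHA-256 keystream with an HMAC-SHA256 tag stands in for it; all class, function and field names, the record layout and the sample amounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Stand-in cipher (assumption): the patent does not name an algorithm, so a
# SHA-256 keystream plus an HMAC-SHA256 tag plays "encrypted under the issuer key".
def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    stream = b"".join(
        hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
        for i in range(blocks)
    )
    return stream[:length]

def seal(key, plaintext):
    nonce = os.urandom(8)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    if len(blob) < 8 + 32:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# Hypothetical record layout: amount (8 bytes), TSN (4 bytes), USN (4 bytes).
RECORD = struct.Struct(">QII")

class Issuer:
    """Financial institution: debits the account and moves funds to holding."""
    def __init__(self, issuer_key, accounts):
        self.issuer_key = issuer_key
        self.accounts = dict(accounts)
        self.holding = 0

    def authorise(self, account, amount, tsn, usn):
        if amount <= 0 or self.accounts.get(account, 0) < amount:
            return None  # insufficient funds: nothing is debited
        self.accounts[account] -= amount
        self.holding += amount
        return seal(self.issuer_key, RECORD.pack(amount, tsn, usn))

class ClientCard:
    """Client card: accepts a load only if it matches its own TSN and USN."""
    def __init__(self, usn, issuer_key, max_balance):
        self.usn = usn
        self.issuer_key = issuer_key
        self.max_balance = max_balance
        self.tsn = 1
        self.balance = 0
        self.transaction_file = []

    def apply_load(self, blob):
        try:
            amount, tsn, usn = RECORD.unpack(unseal(self.issuer_key, blob))
        except (ValueError, struct.error):
            return "bad"  # tampered or malformed message
        if (tsn, usn) != (self.tsn, self.usn):
            return "bad"  # replayed message, or message meant for another card
        if self.balance + amount > self.max_balance:
            return "bad"  # would overflow the SCA balance (Appendix 1 dependency)
        self.transaction_file.append((tsn, amount))
        self.balance += amount
        self.tsn += 1  # assumption: the TSN advances only after a good load
        return "good"

def demo():
    key = os.urandom(16)  # constructed sample issuer key
    issuer = Issuer(key, {"cheque": 500})
    card = ClientCard(usn=0x1001, issuer_key=key, max_balance=1000)
    other = ClientCard(usn=0x1002, issuer_key=key, max_balance=1000)
    blob = issuer.authorise("cheque", 200, card.tsn, card.usn)
    flipped = bytearray(blob)
    flipped[8] ^= 0x01  # one bit changed in transit
    results = {
        "tampered": card.apply_load(bytes(flipped)),
        "wrong_card": other.apply_load(blob),
        "genuine": card.apply_load(blob),
        "replayed": card.apply_load(blob),
    }
    return results, card.balance, card.tsn, issuer.accounts["cheque"], issuer.holding

if __name__ == "__main__":
    print(demo())
```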

The above described transaction takes place between the financial institution and a so-called secure card account (SCA) which can only be accessed via a high security encryption/decryption procedure. The client card also makes provision for a high speed self service (HSSS) account which is limited to a relatively low maximum credit balance and which does not require the use of a password to be debited. This account can be used, for example, when using vending machines or the like, where relatively small amounts are involved. A state table showing how funds are transferred from the secure card account (SCA) to the high speed self service (HSSS) account is shown in Appendix 2.

Assuming now that the cardholder wishes to conduct a transaction with a retailer, such as the purchase of goods or services, the card reader terminal illustrated in FIG. 3 is used, configured as a point of sale (POS) device. When this device is turned on by the retailer, the display prompts the retailer to enter the retailer card into the appropriate slot at the bottom of the machine. The card outputs its identity code to the device, which verifies that it is a retailer card, and a handshaking procedure is carried out as described above with reference to the funds transfer machine.

The retailer card has a merchant information file which stores, inter alia, the merchant's name, a "hot card" file and transaction batch numbers. The main menu of the software stored in the terminal is now displayed, and offers a choice of "Sales" or "Utilities". Assuming that "Sales" is selected, a second menu appears, offering a choice of "Purchase" or "Card balance". The latter option allows the retailer to check the running total credit balance stored in his card.

Assuming that the "Purchase" option is selected, the display will then prompt the retailer to enter the amount of the transaction. This can be done directly via the keypad 22, or via the input/output interface 20, if the card reader terminal is connected to a till. The display now prompts the cardholder to enter his client card into the second card reader, and a handshaking procedure once again takes place to ensure that the correct type of card is being used.

The sequence of events is described in the state table of Appendix 3, and includes the generation of a random key by the client card which is then used in the subsequent messages for this transaction. The retailer card checks to see whether the credit balance stored thereon is below the permissible maximum and that the amount of the transaction will not cause the balance to exceed the maximum. Information from the client card is now read into the RAM 12 of the terminal, including the client identification code and balance information. Once the security measures (up to and including Utility 4 in Appendix 3) have been carried out, the terminal prompts the card holder to indicate whether a secure card account (SCA) transaction or a high speed self service (HSSS) transaction is desired. The terminal now runs a utility to check whether the client card is on the "hot card" list stored on the retailer card, and if so, aborts the transaction, and switches off the client card.

The terminal now prompts the cardholder to enter his password. If the correct password is recognised, a flag is set in the RAM of the card. The amount of the transaction, the date, the retailer identity, and the transaction batch number are now transferred directly to the client card in an unencrypted form. The microprocessor of the client card checks that the flag in the RAM is correctly set to indicate the use of the correct password, and checks the identity of the retailer card to ensure that it is in fact a retailer card. The transaction information is then stored in the RAM of the card. The transaction information is now written to the transaction file on the client card and the balance in the client card is updated (that is, reduced) and stored in a non-volatile memory area of the card. If the amount of the transaction is greater than the stored balance (that is, an impermissible transaction) the card is put into a CPU loop so that it "hangs", and cannot be reset except by aborting the transaction. Once the transaction has been encrypted and recorded, the RAM of the card is cleared.

The terminal now transmits the encrypted transaction information to the retailer card, and the cardholder's identification number and the record sequence number are checked, both to ensure a valid transaction and to ensure correct decryption. The accumulated credit balance on the retailer card is now updated. Similarly to the client card, the card will "hang" if the total balance exceeds the maximum permissible limit. The amount of the transaction, the client card unique sequence number (USN), and the financial institution issuer code are now encrypted with the key of the data network, and this information is stored in a non-volatile area on the retailer card. The total number of SCA transactions is incremented, and the transaction information is written to the retailer card transaction file. This information is further encrypted with the card reader terminal key, as contained on the retailer card.

The encrypted information is now transferred to the RAM 12 of the card reader terminal, and a transaction record is printed using the printer 26. On the same record, an encrypted record of the transaction is printed, in a 16 byte format, to ensure, if necessary, that the retailer has not modified the POS device software. The cardholder is now prompted to remove his card, and the original main menu is displayed.

The result of the above transaction is that the credit balance on the client card is reduced by the amount of the transaction, and the accumulated credit balance on the retailer card is increased correspondingly. The printed transaction record, including its encrypted data, allows errors to be traced. The entire transaction takes place on an off-line basis, using only the two smart cards (the client card and the retailer card) and the stand-alone card reader terminal.

In the case of a high speed self service (HSSS) transaction, a simplified procedure is followed. A state table of such a transaction is shown in Appendix 4.

The next step in the operation of the system is for the retailer to settle the transactions, whether SCA or HSSS transactions, recorded on his retailer card. The settlement procedure is once again an on-line procedure, requiring the use of a funds transfer machine (FTM). This may be a dedicated device located on the premises of the retailer, or may be located elsewhere.

Using the keypad of the FTM, the retailer chooses the "settlement" option, and is prompted via the display to insert his card. The FTM then conducts the usual handshaking procedure between the FTM card inserted into the machine and the retailer card. A utility on the retailer card is now run which outputs the batch total, date, batch number, number of transactions and the retailer card USN, all encrypted under the data network key. This data is then transmitted to the data network through the pre-initialised communications link, typically a XXX pad. Transactions which are encrypted using the data network key are sent to the data network on a one to one basis, and are confirmed by the network. The network decrypts the received data and conducts a number of validity checks, for example, by checking the sum of all transaction amounts against the total in the batch data.

The batch number and the new batch data are now encrypted by the data network with the data network key, and transmitted back to the FTM. The FTM transfers this data to the retailer card, and the retailer card decrypts the data and checks that the batch numbers remain the same. The retailer card then increments the batch number and updates it, enters the batch date, and resets all totals to zero. The transaction address on the file information table (FIT) on the card is reset to the first address position, and a bit flag is set which allows the transaction file to be overwritten by the data network hot card file. A utility is then run to write the hot card file to the transaction file. Finally, the FTM prompts the retailer to remove the retailer card. The batch transaction data is transmitted via the data transfer network to the financial institution of the retailer, updating the retailer's account by crediting it with the total value of the transactions. The network also sends a message to the financial institution of each cardholder who conducted a transaction in the particular batch concerned, authorising a transfer of funds from the holding account of the cardholder's financial institution to the retailer's financial institution. A state table illustrating the above settlement procedure appears in Appendix 5.

It will be apparent from the above description that the entire chain of financial transactions is accomplished by the direct transfer of information between the financial institutions concerned and the client and retailer smart cards. By the use of high levels of encryption, a high security level is achieved. This is made possible mainly by the use of intelligent cards which can communicate with one another, via an intelligent terminal device, which permits the necessary high standard of encryption/decryption and other security procedures to be achieved. Diagrams illustrating the various transactions are shown in FIGS. 4 to 7.

An important aspect of the invention is the running of a program (application) which is effectively split between the two (or more) CPU's of the smart cards. The running of these CPU's is facilitated and synchronised by the card reader terminal, which itself runs a stored program. However, the transaction is controlled by the programs stored on the cards themselves, while the terminal merely allows direct communication between the cards, consistent with the operating protocol of the cards.

Although the funds transfer system of the invention has been described in relation to a conventional, typical series of transactions, it will be appreciated that the applicability of the system is wider than the specific example given above. The described system can be used to operate savings, transmission and current accounts, as well as credit accounts (including general credit accounts and specific credit accounts such as petrol or garage type accounts). The system is also applicable to the running of mortgage bond accounts, subscription deposit accounts, or foreign exchange accounts, for example.

APPENDIX 1
__________________________________________________________________________
Client (Utility)                      FTM (Control)
__________________________________________________________________________
UTIL_1:
Function: Generate random number. Encrypt random number,
          card type and currency with transaction key.
          Output.
Dependencies: None
                                      UTIL_2:
                                      Function: Input. Decrypt with transaction key.
                                                Encrypt random number and card type
                                                with random key.
                                      Dependencies: Utility card must be client card.
                                      UTIL_3:
                                      Function: Output.
                                      Dependencies: None.
UTIL_2:
Function: Input. Decrypt with random key.
Dependencies: Random number must match random number
              generated in UTIL_1.
UTIL_9:
Function: Input. Decrypt with Metrolink key and issuer
          key. Write transaction. Update balance. Clear RAM.
Dependencies: Control card presented in UTIL_2 must be FTM card.
              Password must have been presented.
              Client transaction sequence numbers must match.
              Transaction amount cannot overflow SCA balance.
__________________________________________________________________________

APPENDIX 2
__________________________________________________________________________
Client (Utility)                      FTM (Control)
__________________________________________________________________________
UTIL_1:
Function: Generate random number. Encrypt random number,
          card type and currency with transaction key.
          Output.
Dependencies: None
                                      UTIL_2:
                                      Function: Input. Decrypt with transaction key.
                                                Encrypt random number and card type
                                                with random key.
                                      Dependencies: Utility card must be client card.
                                      UTIL_3:
                                      Function: Output.
                                      Dependencies: None.
UTIL_2:
Function: Input. Decrypt with random key.
Dependencies: Random number must match random number
              generated in UTIL_1.
UTIL_7:
Function: Input. Write transaction. Update balances.
          Clear RAM.
Dependencies: Control card presented in UTIL_2 must be FTM card.
              Password must have been presented.
              Transaction amount cannot be greater than SCA balance.
              Transaction amount cannot overflow HSSS balance.
__________________________________________________________________________

APPENDIX 3

Client (Utility) card / Retailer (Control) card

Client (Utility) UTIL_1:
  Function: Generate random number. Encrypt random number, card type and currency with transaction key. Output.
  Dependencies: None.

Retailer (Control) UTIL_4:
  Function: Input. Decrypt with transaction key. Encrypt random number, record sequence number & card type with random key.
  Dependencies: Retailer card can not be full. Utility card must be client card. Currencies must match.

Retailer (Control) UTIL_5:
  Function: Output.
  Dependencies: None.

Client (Utility) UTIL_2:
  Function: Input. Decrypt with random key.
  Dependencies: Random number must match random number generated in UTIL_1.

Client (Utility) UTIL_4:
  Function: Input. Handle information.
  Dependencies: Password must have been presented. Control card presented in UTIL_2 must be retailer card.

Client (Utility) UTIL_6:
  Function: Write transaction. Update balance. Encrypt amount, client card unique sequence number and record sequence number with random key. Output. Clear RAM.
  Dependencies: Paynote amount presented to card in UTIL_4 must be greater than zero. Paynote amount cannot be greater than SCA balance.

Retailer (Control) UTIL_6:
  Function: Input. Decrypt with random key. Update balance. Write transaction. Encrypt amount, client card unique sequence number and issuer code with metrolink 1 key.
  Dependencies: Utility card presented in UTIL_4 must be client card. Record sequence number must match. Paynote amount cannot overflow batch total.

Retailer (Control) UTIL_5:
  Function: Output.
  Dependencies: None.
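The client-to-retailer exchange tabulated in Appendix 3 can be modelled in Python as follows; this is an added example, not code from the patent. The cipher (a SHAKE-256/HMAC stand-in), the derivation of the "random key" from the UTIL_1 random number, the record sequence number being the next free record slot, the message layout and all sample values are assumptions, and the retailer's final metrolink 1 key output is omitted.

```python
import hashlib
import hmac
import json
import secrets

class ProtocolError(Exception):
    """A step's dependency failed, so the card stops the sequence."""

def need(ok, why):
    if not ok:
        raise ProtocolError(why)

def seal(key, fields):
    # Stand-in cipher (assumption): SHAKE-256 keystream XOR plus HMAC-SHA256 tag.
    nonce, plain = secrets.token_bytes(8), json.dumps(fields).encode()
    pad = hashlib.shake_256(key + nonce).digest(len(plain))
    body = nonce + bytes(a ^ b for a, b in zip(plain, pad))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    need(good, "message does not decrypt under the expected key")
    pad = hashlib.shake_256(key + body[:8]).digest(len(body) - 8)
    return json.loads(bytes(a ^ b for a, b in zip(body[8:], pad)))

def random_key(rnd):
    # Assumption: the "random key" is derived from the UTIL_1 random number.
    return hashlib.sha256(b"random key" + rnd).digest()

class ClientCard:  # utility card; currency and sequence number are constructed values
    def __init__(self, tk, sca_balance, currency="ZAR", unique_seq=7001):
        self.tk, self.sca_balance, self.currency = tk, sca_balance, currency
        self.unique_seq, self.password_presented = unique_seq, False
        self.rnd = self.control_type = self.record_seq = self.amount = None

    def util_1(self):  # generate random number, encrypt with transaction key, output
        self.rnd = secrets.token_bytes(16)
        return seal(self.tk, dict(rnd=self.rnd.hex(), card_type="client", currency=self.currency))

    def util_2(self, blob):  # input, decrypt with random key
        need(self.rnd is not None, "UTIL_1 has not been run")
        msg = unseal(random_key(self.rnd), blob)
        need(msg["rnd"] == self.rnd.hex(), "random number mismatch")
        self.control_type, self.record_seq = msg["card_type"], msg["record_seq"]

    def util_4(self, amount):  # input, handle information
        need(self.password_presented, "password not presented")
        need(self.control_type == "retailer", "control card is not a retailer card")
        self.amount = amount

    def util_6(self):  # write transaction, update balance, encrypt, output, clear RAM
        need(self.amount is not None and self.amount > 0, "paynote amount must be above zero")
        need(self.amount <= self.sca_balance, "paynote amount exceeds SCA balance")
        self.sca_balance -= self.amount
        blob = seal(random_key(self.rnd), dict(amount=self.amount, client_seq=self.unique_seq,
                                               record_seq=self.record_seq))
        self.rnd = self.control_type = self.record_seq = self.amount = None
        return blob

class RetailerCard:  # control card; capacity and batch limit are constructed values
    def __init__(self, tk, currency="ZAR", capacity=3, batch_limit=10_000):
        self.tk, self.currency, self.capacity = tk, currency, capacity
        self.batch_limit, self.batch_total, self.records = batch_limit, 0, []
        self.rnd = self.reply = None

    def util_4(self, blob):  # input, decrypt with transaction key, encrypt reply
        msg = unseal(self.tk, blob)
        need(len(self.records) < self.capacity, "retailer card is full")
        need(msg["card_type"] == "client", "utility card is not a client card")
        need(msg["currency"] == self.currency, "currencies do not match")
        self.rnd = bytes.fromhex(msg["rnd"])
        # Assumption: the record sequence number is the next free record slot.
        self.reply = seal(random_key(self.rnd), dict(rnd=msg["rnd"], card_type="retailer",
                                                     record_seq=len(self.records) + 1))

    def util_5(self):  # output
        return self.reply

    def util_6(self, blob):  # input, decrypt with random key, update balance, write
        need(self.rnd is not None, "no client card was presented in UTIL_4")
        msg = unseal(random_key(self.rnd), blob)
        need(msg["record_seq"] == len(self.records) + 1, "record sequence number mismatch")
        need(self.batch_total + msg["amount"] <= self.batch_limit, "paynote overflows batch total")
        self.batch_total += msg["amount"]
        self.records.append((msg["record_seq"], msg["client_seq"], msg["amount"]))

def pay(client, retailer, amount):  # the Appendix 3 step order, as a terminal would drive it
    retailer.util_4(client.util_1())
    client.util_2(retailer.util_5())
    client.util_4(amount)
    retailer.util_6(client.util_6())

def attempt(step, *args):  # returns (result, None) or (None, reason the card refused)
    try:
        return step(*args), None
    except ProtocolError as err:
        return None, str(err)
```

Because each reply is encrypted under a key tied to the fresh UTIL_1 random number, a reply captured from an earlier exchange fails at UTIL_2, and a paynote presented twice fails the record sequence check.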

APPENDIX 4

Client (Utility) card / Retailer (Control) card

Client (Utility) UTIL_1:
  Function: Generate random number. Encrypt random number, card type and currency with transaction key. Output.
  Dependencies: None.

Retailer (Control) UTIL_4:
  Function: Input. Decrypt with transaction key. Encrypt random number, record sequence number & card type with random key.
  Dependencies: Retailer card can not be full. Utility card must be client card. Currencies must match.

Retailer (Control) UTIL_5:
  Function: Output.
  Dependencies: None.

Client (Utility) UTIL_2:
  Function: Input. Decrypt with random key.
  Dependencies: Random number must match random number generated in UTIL_1.

Client (Utility) UTIL_4:
  Function: Input. Handle information.
  Dependencies: Control card presented in UTIL_2 must be retailer card.

Client (Utility) UTIL_6:
  Function: Write transaction. Update balance. Encrypt amount, client card unique sequence number and record sequence number with random key. Output.
  Dependencies: Paynote amount presented to card in UTIL_4 must be greater than zero. Paynote amount cannot be greater than HSSS balance.

Retailer (Control) UTIL_6:
  Function: Input. Decrypt with random key. Update balance. Write transaction. Encrypt amount, client card unique sequence number and issuer code with metrolink 1 key.
  Dependencies: Utility card presented in UTIL_4 must be client card. Record sequence number must match. Paynote amount cannot overflow batch total.

Retailer (Control) UTIL_5:
  Function: Output.
  Dependencies: None.

APPENDIX 5

Retailer (Utility) card / FTM (Control) card

FTM (Control) UTIL_1:
  Function: Generate random number. Encrypt random number and card type with transaction key. Output.
  Dependencies: None.

Retailer (Utility) UTIL_1:
  Function: Input. Decrypt with transaction key.
  Dependencies: None.

Retailer (Utility) UTIL_2:
  Function: Encrypt batch number, batch total and batch date with metrolink key. Encrypt batch number, retailer card unique sequence number & total number of transactions with metrolink key. Output.
  Dependencies: Control card presented in UTIL_1 must be FTM card.

Retailer (Utility) UTIL_3:
  Function: Input. Decrypt with metrolink key. Reset batch.
  Dependencies: Batch number must match batch number encrypted in UTIL_2.

We claim:
 1. A method of transferring funds including the steps of: linking a first portable data storage and processing device to a first financial institution, the first portable data storage device storing at least a portion of a program; debiting an account held at the financial institution and recording a corresponding credit value in the first portable data storage and processing device; linking the first portable data storage device to a second, similar device via a terminal means, the second portable data storage device storing at least a portion of a program which is run in a synchronized, interactive manner with the portion of the program stored in the first portable data storage device; reducing the credit value in the first device and recording a corresponding credit value in the second device; linking the second portable data storage and processing device to a second financial institution; reducing the credit value in the second device; and recording a corresponding credit value in an account held at the second financial institution.
 2. A method according to claim 1 wherein the terminal means receives the first and second devices and permits data transfer therebetween, the terminal means operating under the control of a stored program to facilitate interaction of the first and second devices.
 3. A method according to claim 1 wherein the first and second financial institutions are one and the same bank, building society or another similar institution.
 4. A method according to claim 1 wherein the first and second financial institutions are different banks, building societies or other similar financial institutions.
 5. A method according to claim 1 wherein the first and second portable data storage and processing devices are "smart cards" comprising electronic data storage and processing circuitry on a credit card-like substrate, operating under the control of stored software.
 6. A method according to claim 1 wherein the first device is allocated to an individual registered at the first financial institution, while the second device is allocated to a retailer or other commercial entity, the magnitude of the reduction in the credit value stored in the first device corresponding to the value of a transaction between the individual and the retailer or commercial entity.
 7. A method according to claim 1 wherein the second device totals the credit values recorded therein, so that the credit value recorded at the second financial institution corresponds to the total of all credit values recorded in the second device in a predetermined period.
 8. A system for transferring funds including: first and second portable data storage and processing devices, each storing at least a portion of a program which is run in a synchronized, interactive manner between the first and second devices; first terminal means for linking the first device to a first financial institution; second terminal means for linking the second device to a second financial institution; and third terminal means adapted to receive the first and second devices and to permit data transfer between them, so that a credit value stored in the first device which corresponds to a debit from an account held at the first financial institution can be reduced by a desired amount and a corresponding credit value can be recorded in the second device, the second device being adapted to transfer the credit value stored therein to an account held at the second financial institution.
 9. A system according to claim 8 wherein the first and second portable data storage and processing devices are "smart cards" comprising electronic data storage and processing circuitry on a credit card-like substrate, operating under the control of stored software.
 10. A system according to claim 9 wherein the first and second terminal means are adapted to link the respective smart cards to the respective financial institutions via a data network.
 11. A system according to claim 9 wherein the third terminal means is a card reader device adapted to receive both smart cards and to allow data transfer therebetween.
 12. A system according to claim 11 wherein the card reader device operates under the control of a stored program which facilitates the interaction of the first and second smart cards.
 13. A method of transferring funds comprising: linking a first smart card to a first financial institution, said first smart card storing at least a portion of a program; debiting a first account held at said first financial institution and recording a corresponding credit value in said first smart card; linking said first smart card to a second, similar smart card via a terminal means, said second smart card storing at least a portion of said program which is run in a synchronized, interactive manner with the portion of said program stored in said first smart card, said program being consistent with a value transfer protocol of said smart cards; reducing said credit value in said first smart card and recording a corresponding credit value in said second smart card; linking said second smart card to a second financial institution; reducing said credit value in said second smart card; and recording a corresponding credit value in an account held at said second financial institution.
 14. A method as recited in claim 13 wherein said terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value and receives said first and second smart cards and permits data transfer therebetween, said terminal means facilitating interaction of said first and second smart cards.
 15. A method as recited in claim 13 wherein said first smart card is allocated to an individual registered at said first financial institution and said second smart card is allocated to a commercial entity, and wherein the magnitude of the reduction in said credit value stored in said first smart card corresponds to the value of a transaction between said individual and said commercial entity, whereby the direct transfer of currency from said individual to said commercial entity is allowed.
 16. A method as recited in claim 13 wherein said value transfer protocol ensures implementation of a predetermined transaction sequence to effect the transfer of credit value from said first smart card to said second smart card.
 17. A method as recited in claim 16 wherein said first and second smart cards exchange messages during said transaction sequence and wherein subsequent messages carry information from previous messages, whereby implementation of said predetermined transaction sequence is ensured.
 18. A method as recited in claim 13 further comprising: sending a first random challenge from said first smart card to said second smart card, thereby ensuring to said first smart card that said second smart card is valid; and sending a second random challenge from said second smart card to said first smart card, thereby ensuring to said second smart card that said credit value in said first smart card has been reduced.
 19. A method as recited in claim 13 wherein at least one of said smart cards is embodied within an integrated circuit mounted on a substrate and wherein contacts on a surface of said substrate allow said terminal means to apply power to said integrated circuit and to permit data transfer to and from said integrated circuit.
 20. A method of transferring funds comprising: linking a first smart card to a first financial institution, said first smart card storing at least a portion of a program; debiting a first account held at said first financial institution and recording a corresponding credit value in said first smart card; linking said first smart card to a second, similar smart card via a terminal means, said second smart card storing at least a portion of said program which is run in a synchronized, interactive manner with the portion of said program stored in said first smart card; exchanging messages between said first and second smart cards, each reply message being dependent upon information received from an earlier message; determining whether each received message is valid using said information received from an earlier message, wherein when it is determined that a message is not valid, said program terminates; reducing said credit value in said first smart card and recording a corresponding credit value in said second smart card; linking said second smart card to a second financial institution; reducing said credit value in said second smart card; and recording a corresponding credit value in a second account held at said second financial institution.
 21. A method as recited in claim 20 wherein said terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value and receives said first and second smart cards and permits data transfer therebetween, said terminal means facilitating interaction of said first and second smart cards.
 22. A method of transferring funds comprising: linking a first smart card to a first financial institution, said first smart card storing at least a portion of a program; debiting a first account held at said first financial institution and recording a corresponding credit value in said first smart card; linking said first smart card to a second, similar smart card via a terminal means, said second smart card storing at least a portion of said program; running said program in a synchronized, interactive manner between said smart cards; a step for performing the function of ensuring that said first and second smart cards are valid and are continuously linked during said running, whereby fraud is reduced; reducing said credit value in said first smart card and recording a corresponding credit value in said second smart card; linking said second smart card to a second financial institution; reducing said credit value in said second smart card; and recording a corresponding credit value in a second account held at said second financial institution.
 23. A method as recited in claim 22 wherein said terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value and receives said first and second smart cards and permits data transfer therebetween, said terminal means facilitating interaction of said first and second smart cards.
 24. A smart card for transferring funds, said smart card being arranged for effecting the following: linking a first smart card to a first financial institution, said first smart card storing at least a portion of a program; debiting a first account held at said first financial institution and recording a corresponding credit value in said first smart card; linking said first smart card to a second, similar smart card via a terminal means, said second smart card storing at least a portion of said program which is run in a synchronized, interactive manner with the portion of said program stored in said first smart card, said program being consistent with a value transfer protocol of said smart cards; reducing said credit value in said first smart card and recording a corresponding credit value in said second smart card; linking said second smart card to a second financial institution; reducing said credit value in said second smart card; and causing a corresponding credit value to be recorded in a second account held at said second financial institution.
 25. A smart card as recited in claim 24 wherein said terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value, and wherein said terminal means receives said first and second smart cards and permits data transfer therebetween and facilitates interaction of said first and second smart cards.
 26. A smart card as recited in claim 24 wherein said first smart card is allocated to an individual registered at said first financial institution and said second smart card is allocated to a commercial entity, and wherein the magnitude of the reduction in said credit value stored in said first smart card corresponds to the value of a transaction between said individual and said commercial entity, whereby the direct transfer of currency from said individual to said commercial entity is allowed.
 27. A smart card as recited in claim 24 being further arranged wherein said value transfer protocol ensures implementation of a predetermined transaction sequence to effect the transfer of credit value from said first smart card to said second smart card.
 28. A smart card as recited in claim 24 being further arranged wherein said first and second smart cards exchange messages during said transaction sequence and wherein subsequent messages carry information from previous messages, whereby implementation of said predetermined transaction sequence is ensured.
 29. A smart card as recited in claim 24 being further arranged for effecting the following: sending a first random challenge from said first smart card to said second smart card, thereby ensuring to said first smart card that said second smart card is valid; and sending a second random challenge from said second smart card to said first smart card, thereby ensuring to said second smart card that said credit value in said first smart card has been reduced.
 30. A smart card as recited in claim 24 being embodied within an integrated circuit mounted on a substrate and having contacts on a surface of said substrate to allow said terminal means to apply power to said integrated circuit and to permit data transfer to and from said integrated circuit.
 31. A system for transferring funds comprising: first and second smart cards, each storing at least a portion of a program which is run in a synchronized, interactive manner between said first and second smart cards, said program being consistent with a value transfer protocol of said smart cards; first terminal means for linking said first smart card to a first financial institution; second terminal means for linking said second smart card to a second financial institution; and third terminal means adapted to receive said first and second smart cards and to permit data transfer between them, so that a credit value stored in said first smart card which corresponds to a debit from an account held at said first financial institution can be reduced by a desired amount and a corresponding credit value can be recorded in said second smart card, said second smart card being adapted to transfer said credit value stored therein to an account held at said second financial institution.
 32. A system as recited in claim 31 wherein said third terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value and receives both smart cards and allows data transfer therebetween, said third terminal means facilitating interaction of said first and second smart cards.
 33. A system as recited in claim 31 wherein said first smart card is allocated to an individual registered at said first financial institution and said second smart card is allocated to a commercial entity, and wherein the magnitude of the reduction in said credit value stored in said first smart card corresponds to the value of a transaction between said individual and said commercial entity, whereby the direct transfer of currency from said individual to said commercial entity is allowed.
 34. A system as recited in claim 31 wherein said value transfer protocol ensures implementation of a predetermined transaction sequence to effect the transfer of said credit value from said first smart card to said second smart card.
 35. A system as recited in claim 34 wherein said first and second smart cards exchange messages during said transaction sequence and wherein subsequent messages carry information from previous messages, whereby implementation of said predetermined transaction sequence is ensured.
 36. A system as recited in claim 31 wherein said first smart card is further adapted to send a first random challenge to said second smart card, thereby ensuring to said first smart card that said second smart card is valid; and wherein said second smart card is further adapted to send a second random challenge to said first smart card, thereby ensuring to said second smart card that said credit value in said first smart card has been reduced.
 37. A system according to claim 31 wherein at least one of said smart cards is embodied within an integrated circuit mounted on a substrate and contacts on a surface of said substrate allow said terminal means to apply power to said integrated circuit and to permit data transfer to and from said integrated circuit.
 38. A system for transferring funds comprising: first and second smart cards, each storing at least a portion of a program which is run in a synchronized, interactive manner between said first and second smart cards; said program stored on said smart cards being arranged to perform the following when run, exchanging messages between said first and second smart cards, each reply message being dependent upon information received from an earlier message, and determining whether each received message is valid using said information received from an earlier message, wherein when it is determined that a message is not valid, said program terminates; first terminal means for linking said first smart card to a first financial institution; second terminal means for linking said second smart card to a second financial institution; and third terminal means adapted to receive said first and second smart cards and to permit data transfer between them, so that a credit value stored in said first smart card which corresponds to a debit from an account held at said first financial institution can be reduced by a desired amount and a corresponding credit value can be recorded in said second smart card, said second smart card being adapted to transfer said credit value stored therein to an account held at said second financial institution.
 39. A system as recited in claim 38 wherein said third terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value and receives both smart cards and allows data transfer therebetween, said third terminal means facilitating interaction of said first and second smart cards.
 40. A system for transferring funds comprising: first and second smart cards, each storing at least a portion of a program which is run in a synchronized, interactive manner between said first and second smart cards; means for performing the function of ensuring that said first and second smart cards are valid and are continuously linked during said program, whereby fraud is reduced; first terminal means for linking said first smart card to a first financial institution; second terminal means for linking said second smart card to a second financial institution; and third terminal means adapted to receive said first and second smart cards and to permit data transfer between them, so that a credit value stored in said first smart card which corresponds to a debit from an account held at said first financial institution can be reduced by a desired amount and a corresponding credit value can be recorded in said second smart card, said second smart card being adapted to transfer said credit value stored therein to an account held at said second financial institution.
 41. A system as recited in claim 40 wherein said third terminal means is a single unit including a keypad for entering said credit value and a display for displaying said credit value and receives both smart cards and allows data transfer therebetween, said third terminal means facilitating interaction of said first and second smart cards.